Threat Feed

Tag: Plugin

85 briefs
high advisory

GEO my WP WordPress Plugin SQL Injection Vulnerability (CVE-2026-9757)

The GEO my WP plugin for WordPress is vulnerable to SQL Injection (CVE-2026-9757) via the 'swlatlng' and 'nelatlng' parameters, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries into a BETWEEN clause.

GEO my WP plugin <= 4.5.5 cve sqli wordpress plugin geomywp
high advisory

CVE-2026-7465: Spectra Gutenberg Blocks WordPress Plugin Remote Code Execution

The Spectra Gutenberg Blocks WordPress plugin is vulnerable to remote code execution, allowing authenticated attackers with Contributor access or higher to execute arbitrary code by crafting a malicious two-block payload within post content.

Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin wordpress rce plugin authenticated
critical advisory

WP Travel Pro Plugin Vulnerable to Arbitrary User Deletion (CVE-2026-4290)

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST API endpoint, allowing unauthenticated attackers to delete arbitrary user accounts due to a flawed permission check and lack of role validation.

WP Travel Pro plugin <= 10.6.0 wordpress plugin user-deletion rce CVE-2026-4290
medium advisory

Media Library Assistant WordPress Plugin vulnerable to CSRF (CVE-2026-6075)

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CVE-2026-6075) due to missing nonce verification, allowing unauthenticated attackers to trick an administrator into performing unauthorized bulk actions.

Media Library Assistant plugin for WordPress <= 3.35 wordpress csrf plugin
medium advisory

CVE-2025-11262: WordPress Link Whisper Free Plugin Stored XSS Vulnerability

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.

Link Whisper Free plugin wordpress xss plugin
critical advisory

CVE-2026-3655: WordPress OTP Login Plugin Authentication Bypass Vulnerability

The OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 is vulnerable to authentication bypass due to improper validation of the Firebase session, allowing unauthenticated attackers to authenticate as arbitrary users, including administrators, by supplying a victim's phone number.

OTP Login With Phone Number, OTP Verification plugin authentication-bypass wordpress plugin cve-2026-3655 privilege-escalation
critical advisory

CVE-2026-8732 WP Maps Pro Plugin Privilege Escalation via Administrator Account Creation

The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8732), allowing unauthenticated attackers to create administrator accounts and take over vulnerable sites.

WP Maps Pro plugin <= 6.1.0 privilege-escalation wordpress plugin CVE-2026-8732
medium advisory

HT Contact Form WordPress Plugin Vulnerable to Stored XSS (CVE-2026-7052)

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (CVE-2026-7052) via the 'file_upload' parameter in versions up to 2.8.2, allowing unauthenticated attackers to inject arbitrary web scripts.

HT Contact Form – Drag & Drop Form Builder for WordPress plugin <= 2.8.2 stored-xss wordpress plugin CVE-2026-7052
critical advisory

Crawlomatic Multipage Scraper Post Generator Plugin RCE (CVE-2026-9009)

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to remote code execution (RCE) via the 'callback_raw' shortcode attribute, allowing authenticated attackers with author-level access or higher to execute arbitrary code on the server.

Crawlomatic Multipage Scraper Post Generator plugin <= 2.7.2 CVE-2026-9009 rce wordpress plugin crawlomatic
medium advisory

HBook WordPress Plugin Stored XSS Vulnerability (CVE-2026-8143)

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.

HBook plugin wordpress xss plugin
medium advisory

LiteSpeed Cache Plugin Stored XSS Vulnerability (CVE-2026-3375)

The LiteSpeed Cache plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints, affecting versions up to 7.7, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content by bypassing IP-based access controls.

LiteSpeed Cache plugin for WordPress cve xss wordpress litespeed plugin
high advisory

WordPress Ultimate Form Builder Lite Plugin SQL Injection Vulnerability

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability (CVE-2018-25352) that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter, potentially leading to privilege escalation.

Ultimate Form Builder Lite plugin <= 1.3.7 sqli wordpress plugin CVE-2018-25352
high advisory

WordPress Contact Form Maker Plugin SQL Injection Vulnerability (CVE-2018-25347)

WordPress Contact Form Maker Plugin version 1.12.20 is vulnerable to SQL injection, enabling authenticated attackers to manipulate database queries via AJAX actions (FormMakerSQLMapping and generete_csv_fmc) by injecting malicious SQL code through the 'name' and 'search_labels' parameters, potentially extracting sensitive database information or escalating privileges.

Contact Form Maker Plugin 1.12.20 sqli wordpress plugin
high threat

WordPress Form Maker Plugin SQL Injection Vulnerability (CVE-2018-25346)

WordPress Form Maker Plugin version 1.12.24 and below is vulnerable to SQL injection, allowing authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv actions via crafted POST requests, potentially leading to data extraction, modification, or privilege escalation.

Form Maker Plugin <= 1.12.24 sqli wordpress plugin
critical advisory

CVE-2026-6898: Wishlist Member WordPress Plugin Vulnerability Leads to Site Takeover

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.

Wishlist Member plugin wordpress plugin privilege-escalation credential-access persistence initial-access
critical advisory

CVE-2026-6897: Wishlist Member Plugin Vulnerability Leads to WordPress Site Takeover

CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.

Wishlist Member plugin wordpress plugin privilege-escalation credential-access persistence
critical advisory

WishList Member WordPress Plugin Missing Authorization Leads to Privilege Escalation (CVE-2026-6895)

The WishList Member plugin for WordPress is vulnerable to Missing Authorization, allowing attackers to obtain the REST API Secret Key and escalate privileges to administrator.

WishList Member plugin <= 3.30.1 wordpress plugin privilege-escalation cve
critical threat

WishList Member Plugin Privilege Escalation via Missing Authorization (CVE-2026-6419)

The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.

WishList Member plugin privilege-escalation wordpress plugin CVE-2026-6419
medium advisory

AudioIgniter WordPress Plugin Vulnerable to Insecure Direct Object Reference (CVE-2026-8679)

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CVE-2026-8679) in versions up to 2.0.2, allowing unauthenticated attackers to view track metadata of any playlist, regardless of its status.

AudioIgniter plugin for WordPress <= 2.0.2 idor wordpress plugin cve-2026-8679 vulnerability
critical advisory

CVE-2026-6960: BookingPress Pro Plugin Arbitrary File Upload Leading to Potential RCE

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in versions up to 5.6, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution if a signature custom field is added to the booking form.

BookingPress Pro plugin <= 5.6 wordpress arbitrary-file-upload rce plugin CVE-2026-6960 webserver
high advisory

Creative Mail WordPress Plugin Vulnerable to SQL Injection (CVE-2026-3985)

The Creative Mail plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping of the 'checkout_uuid' parameter and lack of sufficient preparation on the SQL query in the `has_checkout_consent()` method, allowing unauthenticated attackers to extract sensitive information from the database.

Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin <= 1.6.9 sqli wordpress plugin cve-2026-3985 cloud
critical advisory

9router Unauthenticated Remote Code Execution via MCP Plugin Routes

9router versions 0.4.30 to 0.4.33 are vulnerable to unauthenticated remote code execution, allowing network-adjacent attackers to execute arbitrary OS commands by registering and triggering malicious plugins through unprotected API endpoints.

9router rce unauthenticated plugin
critical advisory

Piotnet Forms WordPress Plugin Arbitrary File Upload Vulnerability (CVE-2026-4883)

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution.

Piotnet Forms plugin <= 2.1.40 arbitrary-file-upload wordpress plugin CVE-2026-4883
critical threat

CVE-2026-4885: Piotnet Addons for Elementor Pro WordPress Plugin Arbitrary File Upload Vulnerability

The Piotnet Addons for Elementor Pro plugin for WordPress, versions up to 7.1.70, is vulnerable to unauthenticated arbitrary file upload due to insufficient file type validation in the 'pafe_ajax_form_builder' function, potentially leading to remote code execution.

Piotnet Addons for Elementor Pro <= 7.1.70 arbitrary-file-upload rce wordpress plugin
high advisory

WordPress Anti-Malware Security and Bruteforce Firewall Directory Traversal Vulnerability

WordPress Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability (CVE-2021-47977) that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter in requests to admin-ajax.php.

Anti-Malware Security and Bruteforce Firewall 4.20.59 directory-traversal wordpress plugin cve-2021-47977
high advisory

Supsystic Digital Publications Path Traversal and Stored XSS Vulnerability (CVE-2020-37245)

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field, allowing attackers to access sensitive files, and a stored XSS vulnerability due to improper input sanitization, leading to arbitrary script execution in the context of affected users (CVE-2020-37245).

Digital Publications by Supsystic 1.6.9 path-traversal xss wordpress plugin
critical threat

Supsystic Pricing Table Plugin <= 1.8.7 SQL Injection Vulnerability (CVE-2020-37243)

Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.

Pricing Table sql-injection xss wordpress plugin
critical threat

CVE-2026-6228 - WordPress Frontend Admin Plugin Privilege Escalation

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6228) in versions up to and including 3.28.36, allowing unauthenticated attackers to gain administrator privileges.

Frontend Admin by DynamiApps plugin for WordPress privilege-escalation wordpress plugin CVE-2026-6228
critical advisory

WordPress Form Notify Plugin Authentication Bypass Vulnerability (CVE-2026-5229)

The Form Notify plugin for WordPress is vulnerable to CVE-2026-5229, an authentication bypass, due to trusting user-controlled cookie data after a LINE OAuth login, allowing unauthenticated attackers to gain administrative access.

Form Notify <= 1.1.10 authentication-bypass wordpress plugin CVE-2026-5229
medium advisory

CVE-2026-4094: FOX – Currency Switcher Professional for WooCommerce Plugin Vulnerability

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss (CVE-2026-4094) due to a missing capability check, allowing authenticated attackers with Contributor-level access or higher to delete the multi-currency configuration.

FOX – Currency Switcher Professional for WooCommerce plugin <= 1.4.5 wordpress woocommerce plugin csrf data-loss cve-2026-4094
high threat

InfusedWoo Pro WordPress Plugin Arbitrary File Read Vulnerability (CVE-2026-6514)

The InfusedWoo Pro plugin for WordPress is vulnerable to arbitrary file read in versions up to 5.1.2, allowing unauthenticated attackers to make web requests to arbitrary locations, potentially querying and modifying information from internal services.

InfusedWoo Pro cve wordpress plugin arbitrary file read ssrf
high advisory

CVE-2026-6506: InfusedWoo Pro WordPress Plugin Privilege Escalation

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in versions up to 5.1.2 due to missing authorization checks in the infusedwoo_gdpr_upddata() function, allowing authenticated attackers to grant themselves administrator privileges.

InfusedWoo Pro plugin <= 5.1.2 privilege-escalation wordpress plugin
medium advisory

CVE-2026-3892 - WordPress Motors Plugin Arbitrary File Deletion

The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to arbitrary file deletion in versions up to 1.4.107 due to insufficient file path validation in the become-dealer logo upload flow, allowing authenticated attackers with subscriber-level access and above to delete arbitrary files on the server.

The Motors – Car Dealership & Classified Listings Plugin <= 1.4.107 arbitrary-file-deletion wordpress plugin
high threat

Fluent Forms Plugin Authorization Bypass via User-Controlled Key (CVE-2026-5396)

The Fluent Forms plugin for WordPress is vulnerable to authorization bypass via a user-controlled key (CVE-2026-5396), allowing authenticated attackers with restricted access to specific forms to manipulate submissions of unauthorized forms by spoofing the 'form_id' parameter.

Fluent Forms plugin <= 6.1.21 authorization-bypass wordpress plugin
high advisory

RTMKit Addons for Elementor WordPress Plugin LFI Vulnerability (CVE-2026-3425)

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to local file inclusion (LFI) via the 'path' parameter in the 'get_content' AJAX action, allowing authenticated attackers with Author-level access or higher to include and execute arbitrary PHP files, leading to potential code execution.

RTMKit Addons for Elementor plugin <= 2.0.2 lfi wordpress plugin cve-2026-3425
high advisory

CVE-2026-5371: MonsterInsights WordPress Plugin Unauthorized Access Vulnerability

The MonsterInsights WordPress plugin through 10.1.2 is vulnerable to unauthorized access and data modification, allowing authenticated attackers with subscriber-level access to retrieve Google OAuth tokens and reset Google Ads integration due to missing capability checks on `get_ads_access_token()` and `reset_experience()` functions.

MonsterInsights – Google Analytics Dashboard for WordPress wordpress plugin analytics oauth googleads CVE-2026-5371
high advisory

WordPress Court Reservation Plugin SQL Injection Vulnerability (CVE-2026-1250)

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress, versions 1.10.11 and earlier, is vulnerable to SQL injection via the 'id' parameter, enabling unauthenticated attackers to extract sensitive database information.

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress <= 1.10.11 sql-injection wordpress plugin CVE-2026-1250 web-application
medium advisory

CVE-2026-6690: LifePress WordPress Plugin Stored XSS Vulnerability

The LifePress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping within the `lp_update_mds` AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts via the 'n' parameter that execute when a user accesses the injected page; this affects versions up to and including 2.2.2.

LifePress plugin <= 2.2.2 wordpress xss cve-2026-6690 lifepress stored-xss plugin
medium advisory

WordPress Auto Affiliate Links Plugin Stored XSS Vulnerability (CVE-2026-7330)

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 6.8.8 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into the admin statistics page.

Auto Affiliate Links plugin <= 6.8.8 wordpress xss plugin
high advisory

WordPress User Frontend Plugin Deserialization Vulnerability (CVE-2026-5127)

The User Frontend WordPress plugin is vulnerable to authenticated deserialization, allowing subscriber-level attackers to inject PHP objects for potential arbitrary code execution.

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 deserialization wordpress plugin cve-2026-5127
critical advisory

WordPress Slider Revolution Plugin Arbitrary File Upload Vulnerability

The Slider Revolution plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation, allowing authenticated attackers with subscriber-level access or higher to upload executable files, potentially leading to remote code execution.

Slider Revolution plugin wordpress file-upload rce plugin
high advisory

BetterDocs Pro Plugin SQL Injection Vulnerability

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions, allowing unauthenticated attackers to extract sensitive information from the database.

BetterDocs Pro plugin sqli wordpress plugin cve-2026-4348
high advisory

Gravity Bookings Premium Plugin SQL Injection Vulnerability

The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in versions up to 2.5.9, allowing unauthenticated attackers to extract sensitive information from the database.

Gravity Bookings Premium plugin sqli wordpress plugin
critical advisory

WeePie Cookie Allow Plugin SQL Injection Vulnerability

The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in versions up to 3.4.11, allowing unauthenticated attackers to extract sensitive information from the database.

WeePie Cookie Allow plugin for WordPress <= 3.4.11 sqli wordpress plugin cve-2026-4304
high advisory

Forminator Forms Plugin Path Traversal Vulnerability

The Forminator Forms WordPress plugin is vulnerable to an unauthenticated path traversal that allows reading arbitrary files on the server when specific features are enabled.

Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin path-traversal wordpress plugin
high advisory

AWP Classifieds WordPress Plugin SQL Injection Vulnerability

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5, potentially allowing unauthenticated attackers to extract sensitive information from the database.

AWP Classifieds plugin for WordPress sql-injection wordpress plugin
critical advisory

WordPress Mentoring Plugin Privilege Escalation Vulnerability

The Mentoring plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to register with administrator-level user accounts due to improper role restriction in the mentoring_process_registration() function.

Mentoring plugin for WordPress privilege-escalation wordpress plugin
high advisory

Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.

Paid Memberships Pro plugin wordpress stripe webhook vulnerability plugin
high advisory

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)

The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.

Geo Mashup plugin <= 1.13.18 sqli wordpress plugin
high advisory

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)

A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (<= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.

Geo Mashup plugin sql-injection wordpress plugin
critical advisory

WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)

The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin <= 4.2.2 wordpress rce plugin
high threat

PixelYourSite Pro WordPress Plugin SSRF Vulnerability (CVE-2026-7049)

The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.

PixelYourSite Pro – Your smart PIXEL ssrf wordpress plugin
high advisory

WP Editor Plugin CSRF Vulnerability

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.

WP Editor plugin <= 1.2.9.2 csrf wordpress plugin vulnerability
medium advisory

Jenkins Security Advisory Addressing Multiple Plugin Vulnerabilities

Jenkins released a security advisory on April 29, 2026, detailing vulnerabilities in Credentials Binding Plugin, GitHub Plugin, GitHub Branch Source Plugin, HTML Publisher Plugin, Matrix Authorization Strategy Plugin, Microsoft Entra ID Plugin, and Script Security Plugin, urging users to apply necessary updates.

Credentials Binding Plugin +6 jenkins vulnerability plugin
high advisory

OpenClaw Plugin Archive Integrity Vulnerability (CVE-2026-42428)

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.

OpenClaw vulnerability plugin integrity CVE-2026-42428
critical advisory

WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)

The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.

wordpress rce plugin cve-2026-4132
high advisory

OpenClaw Improper Trust Boundary Vulnerability (CVE-2026-41295)

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability (CVE-2026-41295) allowing attackers to execute unintended code by cloning a workspace with a malicious plugin claiming a bundled channel id.

openclaw code-execution trust-boundary plugin
critical advisory

Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability

The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.

wordpress plugin file-read file-deletion cve-2026-5478
critical advisory

WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.

wordpress plugin file-read file-deletion rce
high advisory

Plisio Accept Cryptocurrencies Plugin Missing Authorization Vulnerability (CVE-2026-6372)

A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.

wordpress plugin payment-bypass cve-2026-6372
high advisory

Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.

wordpress sqli plugin
critical advisory

Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)

The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.

wordpress privilege-escalation cve-2026-3596 plugin
critical advisory

LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.

wordpress plugin learnpress data-deletion unauthorized-access
high advisory

Helm Plugin Path Traversal Vulnerability

A path traversal vulnerability in Helm versions 4.0.0 to 4.1.3 allows a malicious plugin to write files to arbitrary locations on the filesystem, leading to potential system compromise.

helm path-traversal vulnerability plugin kubernetes
critical advisory

wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.

wordpress file-deletion plugin CVE-2026-5809
medium advisory

Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.

wordpress missing-authorization plugin cve-2026-4162
critical advisory

Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system, allowing unauthenticated remote code execution and system takeover.

wordpress joomla remote-code-execution plugin
high advisory

WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)

The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.

woocommerce sqli cve-2026-3396 wordpress plugin
high advisory

WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps

The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

wordpress plugin file-upload remote-code-execution
medium advisory

WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.

wordpress xss cve-2026-5425 plugin
high advisory

ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability

The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.

wordpress plugin vulnerability membership
medium advisory

Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

wordpress xss plugin cve-2026-4329
high advisory

WP Job Portal Plugin SQL Injection Vulnerability

The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.

sql-injection wordpress plugin
high advisory

Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)

CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.

Otter Blocks plugin wordpress plugin purchase-bypass CVE-2026-2892 defense-evasion
3r 1t 1c
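The Otter Blocks brief above describes a cookie that the server trusts but never verifies. The following is an added example (not Otter Blocks code) of the pattern beside a fix: a purchase token that is HMAC-signed with a server-side secret, expiry-bound and tied to the logged-in user, with the server-side purchase record remaining authoritative. It assumes a WordPress runtime; the cookie name, the user meta key and the licence-check helper are hypothetical.

```php
<?php
/**
 * Added example, not Otter Blocks code. Assumes a WordPress runtime; the cookie
 * name, the user meta key and demo_purchase_is_active() are hypothetical.
 */

// VULNERABLE: the cookie's mere presence (or a guessable value) unlocks
// restricted content. Any client can send  Cookie: demo_purchased=1  itself.
function demo_has_purchase_vulnerable() {
    return isset( $_COOKIE['demo_purchased'] ) && '1' === $_COOKIE['demo_purchased'];
}

// HARDENED: the server issues a value it can later verify and the browser
// cannot forge. Layout:  user_id|expiry|HMAC-SHA256(secret, user_id|expiry)
// where the secret (wp_salt()) never leaves the server.
const DEMO_COOKIE = 'demo_purchase_token';

function demo_issue_purchase_cookie( $user_id, $ttl = DAY_IN_SECONDS ) {
    $expiry = time() + $ttl;
    $data   = (int) $user_id . '|' . $expiry;
    $mac    = hash_hmac( 'sha256', $data, wp_salt( 'auth' ) );
    // Must run before any output (hook on 'init' or 'template_redirect').
    setcookie( DEMO_COOKIE, $data . '|' . $mac, array(
        'expires'  => $expiry,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
}

function demo_verify_purchase_cookie() {
    if ( empty( $_COOKIE[ DEMO_COOKIE ] ) ) {
        return false;
    }
    $parts = explode( '|', (string) $_COOKIE[ DEMO_COOKIE ] );
    if ( 3 !== count( $parts ) ) {
        return false;
    }
    list( $user_id, $expiry, $mac ) = $parts;
    if ( ! ctype_digit( $user_id ) || ! ctype_digit( $expiry ) || (int) $expiry < time() ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', $user_id . '|' . $expiry, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) ) {   // constant-time comparison
        return false;
    }
    // Bind the token to the session: a valid token minted for user 7 must not
    // unlock content for whoever happens to be logged in now.
    return get_current_user_id() === (int) $user_id;
}

// The cookie is only a cache of the server-side record. On sensitive paths fall
// back to that record and re-issue the cookie from it.
function demo_user_can_view_premium() {
    if ( demo_verify_purchase_cookie() ) {
        return true;
    }
    $user_id = get_current_user_id();
    if ( $user_id && demo_purchase_is_active( $user_id ) ) {
        demo_issue_purchase_cookie( $user_id );
        return true;
    }
    return false;
}

// Hypothetical authoritative check against stored purchase state.
function demo_purchase_is_active( $user_id ) {
    return (bool) get_user_meta( $user_id, 'demo_purchase_active', true );
}
```

The signed cookie only removes the forgery; it does not replace the server-side record, which is why demo_user_can_view_premium() still consults demo_purchase_is_active() when no valid token is present. The options-array form of setcookie() requires PHP 7.3 or later.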
critical advisory

Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

Breeze Cache plugin wordpress plugin file-upload rce
2r 1t 1c
high advisory

SQL Injection Vulnerability in Form Maker by 10Web WordPress Plugin

The Form Maker by 10Web WordPress plugin is vulnerable to SQL Injection via the 'inputs' parameter in versions up to 1.15.42, allowing unauthenticated attackers to extract sensitive information from the database.

Form Maker by 10Web sql-injection wordpress plugin
2r 1t 1c
high advisory

Royal Elementor Addons Plugin SSRF Vulnerability

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.

Royal Elementor Addons <= 1.7.1057 wordpress ssrf cve-2026-6229 plugin
2r 1t 1c
high advisory

WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and bypassing the plugin's extension sanitization.

Drag and Drop File Upload for Contact Form 7 plugin wordpress file-upload rce plugin CVE-2026-5364
2r 1t 1c
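The Gerador de Certificados, Breeze Cache and Drag and Drop File Upload briefs above all come down to the same mistake: the server trusts a client-supplied file name or type field. The block below is an added example (not code from any of those plugins) of that pattern beside a fix that delegates validation to wp_handle_upload(), which checks the extension against an allow-list, sniffs the content to confirm the extension and MIME type agree, and ignores whatever type the client claimed. It assumes a WordPress runtime; the form field name 'certificate', the target directory and the allowed types are hypothetical.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page. Assumes a
 * WordPress runtime; the 'certificate' field, the certs/ directory and the
 * allowed types are hypothetical.
 */

// VULNERABLE: trusts the client-supplied name and the 'type' POST field.
// A request with type=image/png and a file named shell.php is written under
// the web root with that name, and the web server will execute it.
function demo_handle_upload_vulnerable() {
    $allowed = array( 'image/png', 'image/jpeg', 'application/pdf' );
    if ( ! in_array( $_POST['type'], $allowed, true ) ) {
        wp_die( 'type not allowed' );
    }
    $dest = wp_upload_dir()['basedir'] . '/certs/' . basename( $_FILES['certificate']['name'] );
    move_uploaded_file( $_FILES['certificate']['tmp_name'], $dest );
    return $dest;
}

// HARDENED: authorize the caller, then let core decide. wp_handle_upload()
// validates the extension against the 'mimes' allow-list, runs
// wp_check_filetype_and_ext() on the actual bytes, renames on collision and
// never keeps a name whose extension is not in the list. The client's 'type'
// field is not consulted at all.
function demo_handle_upload() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_cert_upload', 'demo_nonce' );

    if ( empty( $_FILES['certificate'] ) || UPLOAD_ERR_OK !== $_FILES['certificate']['error'] ) {
        wp_die( 'no file', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    $overrides = array(
        'test_form' => false,
        'test_type' => true,            // extension and sniffed MIME must agree
        'mimes'     => array(           // explicit allow-list, nothing executable
            'png'      => 'image/png',
            'jpg|jpeg' => 'image/jpeg',
            'pdf'      => 'application/pdf',
        ),
    );
    $result = wp_handle_upload( $_FILES['certificate'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // $result['file'] is the sanitized on-disk path, $result['type'] the verified MIME.
    return $result;
}

// Defence in depth for the directory itself: deny script execution even if a
// bad file ever lands there (Apache 2.4 syntax; nginx needs an equivalent
// location block).
function demo_protect_upload_dir() {
    $dir = wp_upload_dir()['basedir'] . '/certs';
    wp_mkdir_p( $dir );
    $htaccess = $dir . '/.htaccess';
    if ( ! file_exists( $htaccess ) ) {
        $rules = '<FilesMatch "\.(php|phtml|phar)$">' . "\n"
               . 'Require all denied' . "\n"
               . '</FilesMatch>' . "\n";
        file_put_contents( $htaccess, $rules );
    }
}
```

The capability check and nonce come first because the Drag and Drop brief is an unauthenticated upload: even perfect type validation does not help if the endpoint accepts files from anyone.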
critical advisory

WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.

Profile Builder Pro plugin php-object-injection wordpress plugin rce
2r 1t 1c
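The Profile Builder Pro brief above names the exact anti-pattern: maybe_unserialize() on a POST parameter reachable by unauthenticated callers. The block below is an added example (not Profile Builder Pro code) of a handler with that shape beside a hardened version that moves the payload to JSON, validates it against a fixed schema and gates the endpoint on a capability and nonce. It assumes a WordPress runtime; the hook names, the 'pins' payload layout and the capability are hypothetical.

```php
<?php
/**
 * Added example, not Profile Builder Pro code. Assumes a WordPress runtime;
 * hook names, the payload layout and the capability are hypothetical.
 */

// VULNERABLE: maybe_unserialize() on attacker-controlled POST data. A request
// whose 'args' is a serialized object instantiates that class inside
// unserialize(); any __wakeup()/__destruct() gadget in loaded code then runs.
// (Registration left commented out so this file does not expose the endpoint.)
// add_action( 'wp_ajax_nopriv_demo_pins_vulnerable', 'demo_pins_vulnerable' );
function demo_pins_vulnerable() {
    $args = isset( $_POST['args'] ) ? maybe_unserialize( wp_unslash( $_POST['args'] ) ) : array();
    wp_send_json_success( $args );
}

// HARDENED:
//  1. Logged-in user with a specific capability, plus a nonce. No nopriv hook.
//  2. The payload is JSON decoded to arrays, so no PHP object can be created.
//  3. Every field is cast and validated to the exact shape the handler expects.
add_action( 'wp_ajax_demo_pins', 'demo_pins' );
function demo_pins() {
    check_ajax_referer( 'demo_pins_nonce', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw  = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    $args = json_decode( $raw, true );       // assoc arrays only, never objects
    if ( ! is_array( $args ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    $clean = demo_validate_pins_args( $args );
    if ( null === $clean ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    wp_send_json_success( $clean );
}

/**
 * Strict schema check: returns a freshly built array containing only known
 * keys with the expected types, or null. Unknown keys are dropped, not copied.
 */
function demo_validate_pins_args( array $args ) {
    $clean = array(
        'page'     => isset( $args['page'] ) ? max( 1, absint( $args['page'] ) ) : 1,
        'per_page' => isset( $args['per_page'] ) ? min( max( 1, absint( $args['per_page'] ) ), 100 ) : 20,
        'user_ids' => array(),
    );
    if ( isset( $args['user_ids'] ) ) {
        if ( ! is_array( $args['user_ids'] ) ) {
            return null;
        }
        $clean['user_ids'] = array_values( array_filter( array_map( 'absint', $args['user_ids'] ) ) );
    }
    return $clean;
}

// If a legacy client must keep sending serialized strings, unserialize() with
// allowed_classes disabled (PHP >= 7.0) turns any object into
// __PHP_Incomplete_Class without running its constructor or magic methods.
function demo_unserialize_no_objects( $raw ) {
    return unserialize( $raw, array( 'allowed_classes' => false ) );
}
```

The schema function is the part worth copying: deserializing to arrays removes the object-injection primitive, but only the explicit rebuild of $clean stops unexpected keys from reaching later code.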
critical advisory

MoreConvert Pro WordPress Plugin Authentication Bypass Vulnerability

The MoreConvert Pro plugin for WordPress versions 1.9.14 and earlier is vulnerable to authentication bypass due to improper handling of guest waitlist verification tokens, allowing unauthenticated attackers to potentially gain administrative access.

MoreConvert Pro plugin wordpress authentication-bypass plugin cve-2026-5722
2r 1t 1c
critical advisory

Metasploit Exploitation via Malicious Confluence Plugin

A Metasploit module exploits Atlassian Confluence servers by deploying a malicious Java plugin that downloads Meterpreter, granting the attacker full control over the compromised system.

Confluence Data Center confluence metasploit meterpreter plugin exploitation attack
2r 3t
medium advisory

LatePoint WordPress Plugin Stored XSS Vulnerability

The LatePoint WordPress plugin is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user accesses the injected page.

LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.5.0 wordpress xss stored-xss cve-2026-7332 plugin
2r 1c
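The Widgets for Social Photo Feed, Blackhole for Bad Bots and LatePoint briefs above are all stored XSS, but in two different output contexts: free text (a request parameter, a User-Agent header shown in an admin table) and a URL setting that ends up in an href. The block below is an added example (not code from any of those plugins) showing raw storage followed by context-aware escaping at output, and why esc_url() rather than esc_attr() is needed for the link. It assumes a WordPress runtime; the option names, the log layout and the settings field are hypothetical.

```php
<?php
/**
 * Added example, not code from Blackhole for Bad Bots, Widgets for Social
 * Photo Feed or LatePoint. Assumes a WordPress runtime; option names, the log
 * layout and the settings field are hypothetical.
 */

// Ingest side: untrusted values are stored as-is (length-limited) because the
// contexts they will later be printed in are not known yet. Escaping belongs
// at output, not at storage.
function demo_log_blocked_request() {
    $ua        = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $entries   = get_option( 'demo_blocked_log', array() );
    $entries[] = array(
        'time' => time(),
        'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'ua'   => mb_substr( $ua, 0, 512 ),
    );
    update_option( 'demo_blocked_log', array_slice( $entries, -200 ), false );
}

// VULNERABLE admin rendering: the raw User-Agent lands inside the page, so a
// header like  <script>...</script>  runs in the administrator's browser.
function demo_render_log_vulnerable() {
    foreach ( get_option( 'demo_blocked_log', array() ) as $e ) {
        echo '<tr><td>' . $e['ip'] . '</td><td>' . $e['ua'] . '</td></tr>';
    }
}

// HARDENED rendering: pick the escaper by output context.
function demo_render_log() {
    foreach ( get_option( 'demo_blocked_log', array() ) as $e ) {
        printf(
            '<tr><td>%s</td><td title="%s">%s</td></tr>',
            esc_html( $e['ip'] ),                       // text node
            esc_attr( $e['ua'] ),                       // attribute value
            esc_html( mb_substr( $e['ua'], 0, 80 ) )    // text node, shortened
        );
    }
}

// A URL setting needs validation when saved AND esc_url() when printed.
// esc_url() rejects javascript:/data: schemes; esc_attr() alone would let
// them through inside an href because they contain no HTML metacharacters.
function demo_sanitize_booking_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}
add_action( 'admin_init', function () {
    register_setting( 'demo_settings', 'demo_booking_form_page_url',
        array( 'sanitize_callback' => 'demo_sanitize_booking_url' ) );
} );

function demo_render_booking_link() {
    $url = get_option( 'demo_booking_form_page_url', '' );
    if ( '' === $url ) {
        return;
    }
    printf(
        '<a href="%s">%s</a>',
        esc_url( $url, array( 'http', 'https' ) ),
        esc_html__( 'Book now', 'demo' )
    );
}
```

Sanitizing on save is a second layer, not a substitute: an attacker who can write the option through another path (the unauthenticated update described in the LatePoint brief, for instance) bypasses the settings API, so the esc_url() at output is the control that actually has to hold.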
critical advisory

Geeky Bot WordPress Plugin Missing Authorization Vulnerability Leads to Remote Code Execution

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to 1.2.2, allowing unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution by exploiting a nopriv AJAX route and uploading malicious ZIP files.

Geeky Bot plugin for WordPress <= 1.2.2 wordpress plugin rce missing-authorization cve-2026-5294 code-execution
2r 3t 1c
high advisory

GeekyBot WordPress Plugin Vulnerable to SQL Injection

The GeekyBot WordPress plugin is vulnerable to SQL Injection, allowing unauthenticated attackers to extract sensitive information from the database by manipulating the 'attributekey' parameter.

The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin <= 1.2.0 sqli wordpress plugin cve-2026-3456
2r 1t 1c
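Four briefs on this page (WCAPF, WP Job Portal via 'radius', Form Maker via 'inputs', GeekyBot via 'attributekey') are the same defect: a request parameter reaches $wpdb without a prepared statement. The block below is an added example (not code from any of those plugins) of the vulnerable concatenation beside the corrected query, including the two cases $wpdb->prepare() cannot handle on its own: LIKE patterns and identifiers in ORDER BY. It assumes a WordPress runtime; the table, columns and AJAX action are hypothetical.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page. Assumes a
 * WordPress runtime ($wpdb, sanitize_key(), wp_unslash() available). The
 * demo_jobs table, its columns and the AJAX action are hypothetical.
 */

// VULNERABLE: user input concatenated straight into SQL. A time-based payload
// such as  0 OR SLEEP(5)  in 'radius', or  ' OR SLEEP(5)-- -  in
// 'attributekey', is executed as SQL and its effect measured by response time.
function demo_jobs_within_radius_vulnerable( $radius, $attributekey ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}demo_jobs"
         . " WHERE distance <= {$radius}"
         . " AND attribute_key = '{$attributekey}'";
    return $wpdb->get_results( $sql );
}

// HARDENED: every value goes through a typed placeholder. %f forces a float,
// %s is quoted and escaped by $wpdb->prepare(), so input can only ever be data.
function demo_jobs_within_radius( $radius, $attributekey, $order_by = 'id' ) {
    global $wpdb;

    // Identifiers cannot be parameterized: allow-list them instead.
    $allowed_order = array( 'id', 'title', 'distance' );
    if ( ! in_array( $order_by, $allowed_order, true ) ) {
        $order_by = 'id';
    }

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}demo_jobs
         WHERE distance <= %f AND attribute_key = %s
         ORDER BY {$order_by}",
        (float) $radius,
        $attributekey
    );
    return $wpdb->get_results( $sql );
}

// LIKE needs one more step: escape the wildcard characters before preparing,
// otherwise a '%' or '_' in the input changes the pattern's meaning.
function demo_jobs_title_prefix( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}demo_jobs WHERE title LIKE %s",
            $like
        )
    );
}

// Hypothetical public search endpoint wiring request parameters to the
// hardened query. Being nopriv is fine here: the data is public and the
// query can no longer be altered by the caller.
add_action( 'wp_ajax_nopriv_demo_job_search', 'demo_job_search' );
add_action( 'wp_ajax_demo_job_search', 'demo_job_search' );
function demo_job_search() {
    $radius = isset( $_GET['radius'] ) ? (float) $_GET['radius'] : 10.0;
    $key    = isset( $_GET['attributekey'] ) ? sanitize_text_field( wp_unslash( $_GET['attributekey'] ) ) : '';
    $order  = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    wp_send_json_success( demo_jobs_within_radius( $radius, $key, $order ) );
}
```

Casting 'radius' to float before the call is belt and braces; the %f placeholder alone already prevents injection. The allow-list on ORDER BY is the part most often missed, because prepare() will silently accept an interpolated identifier.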
critical advisory

ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution

The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, allowing authenticated attackers to install and activate a plugin of their choosing, which can lead to remote code execution.

ExactMetrics – Google Analytics Dashboard for WordPress wordpress plugin rce cve-2026-5464 exactmetrics
2r 4t 1c
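The Geeky Bot (nopriv AJAX route) and ExactMetrics (REST endpoint) briefs above both install plugins from a request without an adequate authorization check. The block below is an added example (not code from either plugin) showing both vulnerable shapes beside a hardened AJAX handler and REST route that gate on install_plugins/activate_plugins, require a nonce, and pin the installable packages to an allow-list instead of accepting an arbitrary ZIP. It assumes a WordPress runtime; hook names, route names, the allow-list and the installer wrapper are hypothetical.

```php
<?php
/**
 * Added example, not code from Geeky Bot or ExactMetrics. Assumes a WordPress
 * runtime; hook and route names, the allow-list and the installer wrapper
 * are hypothetical.
 */

// VULNERABLE 1: a *_nopriv_* AJAX hook for a privileged action. Anyone can
// POST to admin-ajax.php?action=demo_install_addon; the handler never asks
// who is calling. (Registration left commented out so this file is inert.)
// add_action( 'wp_ajax_nopriv_demo_install_addon', 'demo_install_addon_vulnerable' );
function demo_install_addon_vulnerable() {
    demo_install_plugin_from_zip( $_POST['zip_url'] );
    wp_send_json_success();
}

// VULNERABLE 2: a REST route whose permission_callback only checks that some
// user is logged in, so any subscriber can install and activate code.
// (Registration left commented out for the same reason.)
// add_action( 'rest_api_init', function () {
//     register_rest_route( 'demo/v1', '/install-vulnerable', array(
//         'methods'             => 'POST',
//         'callback'            => function ( WP_REST_Request $r ) {
//             return demo_install_plugin_from_zip( $r['zip_url'] );
//         },
//         'permission_callback' => 'is_user_logged_in',
//     ) );
// } );

// HARDENED AJAX: the action is installing code, so gate on install_plugins and
// activate_plugins (administrators; super admins on multisite), require the
// nonce issued only by the plugin's own admin page, and resolve a slug
// against an allow-list instead of taking a URL from the request.
add_action( 'wp_ajax_demo_install_addon', 'demo_install_addon' );   // no nopriv twin
function demo_install_addon() {
    check_ajax_referer( 'demo_install_addon', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    if ( ! array_key_exists( $slug, demo_allowed_addons() ) ) {
        wp_send_json_error( 'unknown addon', 400 );
    }
    $ok = demo_install_plugin_from_zip( demo_allowed_addons()[ $slug ] );
    $ok ? wp_send_json_success() : wp_send_json_error( 'install failed', 500 );
}

// HARDENED REST: same capability gate in permission_callback (cookie auth
// already requires X-WP-Nonce), with the slug validated by the args schema.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_rest_install',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' );
        },
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $slug ) {
                    return array_key_exists( $slug, demo_allowed_addons() );
                },
            ),
        ),
    ) );
} );

function demo_rest_install( WP_REST_Request $req ) {
    $ok = demo_install_plugin_from_zip( demo_allowed_addons()[ $req['slug'] ] );
    return $ok
        ? rest_ensure_response( array( 'installed' => true ) )
        : new WP_Error( 'install_failed', 'install failed', array( 'status' => 500 ) );
}

// Hypothetical allow-list of packages this plugin may install (slug => ZIP URL).
function demo_allowed_addons() {
    return array( 'demo-addon-seo' => 'https://downloads.example.com/demo-addon-seo.zip' );
}

// Hypothetical installer wrapper around core's Plugin_Upgrader.
function demo_install_plugin_from_zip( $zip_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return true === $upgrader->install( $zip_url );
}
```

Note that the permission_callback and the nonce answer different questions (is this user allowed, and did this request originate from the plugin's own UI); the Geeky Bot route above fails the first one outright, while a logged-in-only check like the vulnerable REST example passes the wrong user.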